Systems and methods for top-level domain analysis

ABSTRACT

A system may be configured to identify a Person of Interest by analyzing top level domains. Some implementations may include receiving a target top-level domain (TLD) (e.g., originating from a geographic area of interest). A network packet of internet traffic may be captured and it may be determined that a destination port of the captured network traffic is an open port. A counter may be incremented based on the determined open port and/or determining a payload of the network packet comprises an expression matching the target TLD. An alert associated with the target TLD may be transmitted based on determining the counter exceeds a threshold. The internet traffic may be disrupted based on determining the counter exceeds a threshold.

CROSS REFERENCE TO RELATED APPLICATIONS

This application claims the benefit of U.S. Provisional Application No. 63/307,384 filed on Feb. 7, 2022, and entitled “Cyber Security Systems and Methods,” the content of which is incorporated by reference herein in its entirety.

TECHNICAL FIELD

The present disclosure generally relates to systems and methods for implementing a detector of network activity based on automated analysis of top-level domains of connection requests. More particularly, traffic on a network in an area of interest may be monitored, an algorithm may determine whether top-level domains of connection requests associated with the traffic indicate foreign nationals in the area of interest, and one or more intelligence activities may be performed.

BACKGROUND

A physical presence of specific foreign nationals on domestic soil may be important to determine for national security. Specifically, a Person of Interest (POI) to one or more entities (government, corporate, private, etc.) may be believed to be in an Area of Interest (AOI). Although the POI may make efforts to avoid detection by the one or more entities (e.g., using electronic devices that are common in the AOI), the POI may utilize one or more Wi-Fi internet connections. For example, Wi-Fi internet connections (e.g., free or metered) may be found in many public places, such as airports, hospitals, hotels, coffee shops, and restaurants. These “hotspots” are so widespread and common that users frequently connect to them, resulting in the users’ traffic being unencrypted and easily observed. It may be advantageous to detect use of a Wi-Fi internet connection in the AOI by the POI.

SUMMARY

Systems and methods are disclosed for identifying a POI by analyzing top-level domains (TLDs) of connection requests. Accordingly, one or more aspects of the present disclosure relate to a method that may include receiving a target top-level domain (TLD), e.g., from a server or database. Moreover, the TLD may originate from a geographic area of interest. A network packet of internet traffic may be captured. A log entry associated with the network packet may be generated.

It may be determined that a destination port of the captured network traffic is an open port. For example, the destination port may be determined based on a Transmission Control Protocol/Internet Protocol (TCP/IP) Transport Layer (Layer 4) of the network packet. For example, the destination port may be associated with encrypted traffic and the expression may include a name field. In another example, the destination port may be associated with domain name system (DNS) queries and the expression may include a server name indication.

A counter may be incremented based on the determined open port and/or determining a payload of the network packet comprises an expression matching the target TLD. An alert associated with the target TLD may be transmitted based on determining the counter exceeds a threshold. The internet traffic may be disrupted based on determining the counter exceeds a threshold.

The method may be implemented by a system comprising one or more hardware processors configured by machine-readable instructions and/or other components. The system comprises the one or more processors and other components or media, e.g., upon which machine-readable instructions may be executed. Implementations of any of the described techniques and architectures may include a method or process, an apparatus, a device, a machine, a system, or instructions stored on computer-readable storage device(s).

BRIEF DESCRIPTION OF THE DRAWINGS

The details of particular implementations are set forth in the accompanying drawings and description below. Like reference numerals may refer to like elements throughout the specification. Other features will be apparent from the following description, including the drawings and claims. The drawings, though, are for the purposes of illustration and description only and are not intended as a definition of the limits of the disclosure.

FIG. 1 illustrates an example of a TLD analysis system, in accordance with one or more implementations.

FIG. 2 illustrates a TLD analysis architecture, in accordance with one or more implementations.

FIG. 3 illustrates a multi-stage approach for TLD analysis, in accordance with one or more implementations.

FIG. 4 illustrates an OSI Model, in accordance with one or more implementations.

FIG. 5 illustrates a process for TLD analysis, in accordance with one or more implementations.

FIG. 6A is a block diagram of an example apparatus or device, in accordance with one or more implementations.

FIG. 6B is a block diagram of an exemplary computing system, in accordance with one or more implementations.

DETAILED DESCRIPTION

As used throughout this application, the word “may” is used in a permissive sense (i.e., meaning having the potential to), rather than the mandatory sense (i.e., meaning must). The words “include,” “including,” and “includes” and the like mean including, but not limited to. As used herein, the singular form of “a,” “an,” and “the” include plural references unless the context clearly dictates otherwise. As employed herein, the term “number” shall mean one or an integer greater than one (i.e., a plurality).

As used herein, the statement that two or more parts or components are “coupled” shall mean that the parts are joined or operate together either directly or indirectly, i.e., through one or more intermediate parts or components, so long as a link occurs. As used herein, “directly coupled” means that two elements are directly in contact with each other.

Unless specifically stated otherwise, as apparent from the discussion, it is appreciated that throughout this specification discussions utilizing terms such as “processing,” “computing,” “calculating,” “determining,” or the like refer to actions or processes of a specific apparatus, such as a special purpose computer or a similar special purpose electronic processing/computing device.

As possible US adversaries (e.g., Russia, China, Iran, etc.) exert influence domestically and abroad through military and economic programs, the scope of their actions may be difficult to determine without being able to track their presence through unobtrusive means. Moreover, while traveling, foreign nationals may opt to use indigenous devices that help them electronically blend in better with the local population and limit their digital footprint. Foreign nationals often still access web sites and services located within their country of origin.

Analyzing TLDs of connection requests may enable the identification of foreign nationals in Areas of Interest (AOI). Whenever a website or web application is accessed, a DNS request for the fully qualified domain name (FQDN) may be sent to resolve the site to an IP address. Parsing this FQDN for the top-level domain (TLD) may provide insight on the nationality of the user. For example, a Russian executive may access .ru websites and services.

Some DNS requests may not be observed. This may happen in circumstances where a mobile application utilizes an internal resolver or alternative name resolution means. This may also happen when the device has already resolved the FQDN at a point prior to the period of observation. In these circumstances, TLS analysis for secured connections (HTTPS) may provide a Uniform Resource Identifier (URI) from which a TLD can be parsed. Each connection to a secured service may result in a TLS handshake. A Server Name Indication (SNI) extension may provide the URI for the specific service on the server to which the user is connecting.

Automated analysis of the TLDs may alert users to the presence of foreign nationals within the AOI. When used with a configured target that contains the TLDs of concern, a user may quickly identify devices in the area. While a single connection request to the TLD may not by itself be a strong indicator, exceeding a threshold may strongly indicate a presence of foreign nationals. Likewise, a connection to a single website may cascade into multiple connections for content delivery networks (CDNs) that provide the media on a page. For example, a default threshold trigger value of 50 may prevent a threshold from tripping prematurely due to CDN cascades.

Once a threshold is triggered, a user may be alerted with information regarding the connection (e.g., the foreign national’s MAC address, and the triggering TLD). This information may provide the user with cyber indications and warning (I&W). For example, US forces may need awareness of Russian personnel in an area. Once identified, the US personnel may pivot operations to either avoid engagement or to refocus upon intelligence activities. This may also provide the ability to quickly identify users utilizing dark web services such as Tor, as Tor addresses utilize the pseudo-domain of .tor.

According to some implementations, FIG. 1 exemplarily illustrates system 100 configured to identify a POI using TLD analysis. For example, a TLD may be the final component of a domain name. The domain name may be included in one or more of a URI, a Uniform Resource Locator (URL), or a Uniform Resource Name (URN). Moreover, the TLD may be included within an Internet Protocol (IP) packet (e.g., encapsulated by an Ethernet frame). The IP packet may encapsulate a Transmission Control Protocol (TCP) packet and the TCP packet may encapsulate data being transmitted over the network.

In some implementations, at least some functionality of processor 120 may be implemented via artificial intelligence (e.g., one or more machine learning models, such as a neural network).

A contemplated deep learning algorithm may obtain a large amount of training data (e.g., comprising network traffic) to optimize training parameters.

Machine learning herein refers to a series of operations to train a machine in order to create a machine which may perform various tasks. Machine learning requires data and learning models. In machine learning, data learning methods may be roughly divided into three methods, that is, supervised learning, unsupervised learning and reinforcement learning.

Neural network learning may minimize output error. Neural network learning refers to a process of repeatedly inputting training data to a neural network, calculating the error of the output and target of the neural network for the training data, back-propagating the error of the neural network from the output layer of the neural network to an input layer in order to reduce the error and updating the weight of each node of the neural network.

Supervised learning may use training data labeled with a correct answer and the unsupervised learning may use training data which is not labeled with a correct answer. That is, for example, in case of supervised learning for data classification, training data may be labeled with a category. The labeled training data may be input to the neural network, and the output (category) of the neural network may be compared with the label of the training data, thereby calculating the error. The calculated error is back-propagated from the neural network backward (that is, from the output layer to the input layer), and the connection weight of each node of each layer of the neural network may be updated according to back-propagation. Change in updated connection weight of each node may be determined according to the learning rate.

Calculation of the neural network for input data and back-propagation of the error may constitute one learning cycle (epoch). Training data may be applied differently according to the number of repetitions of the learning cycle of the neural network. For example, in the early phase of learning of the neural network, a high learning rate may be used to increase efficiency such that the neural network rapidly ensures a certain level of performance and, in the late phase of learning, a low learning rate may be used to increase accuracy. The learning method may vary according to the feature of data. For example, for the purpose of accurately performing TLD analysis, learning may be performed using supervised learning (e.g., rather than unsupervised learning or reinforcement learning).

Electronic storage 150 of FIG. 1 comprises electronic storage media that electronically stores information. The electronic storage media of electronic storage 150 may comprise system storage that is provided integrally (i.e., substantially non-removable) with system 100 and/or removable storage that is removably connectable to system 100 via, for example, a port (e.g., a USB port, a firewire port, etc.) or a drive (e.g., a disk drive, etc.). Electronic storage 150 may be (in whole or in part) a separate component within system 100, or electronic storage 150 may be provided (in whole or in part) integrally with one or more other components of system 100 (e.g., a user interface (UI) device 110, processor 120, etc.). In some implementations, electronic storage 150 may be located in a server together with processor 120, in a server that is part of external resources 140, in UI devices 110, and/or in other locations. Electronic storage 150 may comprise a memory controller and one or more of optically readable storage media (e.g., optical disks, etc.), magnetically readable storage media (e.g., magnetic tape, magnetic hard drive, etc.), electrical charge-based storage media (e.g., EPROM, RAM, etc.), solid-state storage media (e.g., flash drive, etc.), and/or other electronically readable storage media. Electronic storage 150 may store software algorithms, information obtained and/or determined by processor 120, information received via UI devices 110 and/or other external computing systems, information received from external resources 140, and/or other information that enables system 100 to function as described herein.

External resources 140 may include sources of information (e.g., databases, websites, etc.), external entities participating with system 100, one or more servers outside of system 100, a network 160, electronic storage, equipment related to Wi-Fi technology, equipment related to Bluetooth® technology, data entry devices, a power supply (e.g., battery powered or line-power connected, such as directly to 110 volts AC or indirectly via AC/DC conversion), a transmit/receive element (e.g., an antenna configured to transmit and/or receive wireless signals), a network interface controller (NIC), a display controller, a graphics processing unit (GPU), and/or other resources. In some implementations, some or all of the functionality attributed herein to external resources 140 may be provided by other components or resources included in system 100. Processor 120, external resources 140, UI device 110, electronic storage 150, a network, and/or other components of system 100 may be configured to communicate with each other via wired and/or wireless connections, such as a network (e.g., a local area network (LAN), the Internet, a wide area network (WAN), a radio access network (RAN), a public switched telephone network (PSTN), etc.), cellular technology (e.g., GSM, UMTS, LTE, 5G, etc.), Wi-Fi technology, another wireless communications link (e.g., radio frequency (RF), microwave, infrared (IR), ultraviolet (UV), visible light, cm wave, mm wave, etc.), a base station, and/or other resources.

UI device(s) 110 of system 100 may be configured to provide an interface between one or more users and system 100, e.g., via one or more of user equipment (UE) 180. UI devices 110 are configured to provide information to and/or receive information from the one or more users. UI devices 110 include a UI and/or other components. The UI may be and/or include a graphical UI configured to present views and/or fields configured to receive entry and/or selection with respect to particular functionality of system 100, and/or provide and/or receive other information. In some implementations, the UI of UI devices 110 may include a plurality of separate interfaces associated with processors 120 and/or other components of system 100. Examples of interface devices suitable for inclusion in UI device 110 include a touch screen, a keypad, touch sensitive and/or physical buttons, switches, a keyboard, knobs, levers, a display, speakers, a microphone, an indicator light, an audible alarm, a printer, and/or other interface devices. The present disclosure also contemplates that UI devices 110 include a removable storage interface. In this example, information may be loaded into UI devices 110 from removable storage (e.g., a smart card, a flash drive, a removable disk) that enables users to customize the implementation of UI devices 110.

In some implementations, UI devices 110 are configured to provide a UI, processing capabilities, databases, and/or electronic storage to system 100. As such, UI devices 110 may include processors 120, electronic storage 150, external resources 140, and/or other components of system 100. In some implementations, UI devices 110 are connected to a network 160 (e.g., the Internet). In some implementations, UI devices 110 do not include processor 120, electronic storage 150, external resources 140, and/or other components of system 100, but instead communicate with these components via dedicated lines, a bus, a switch, network, or other communication means. The communication may be wireless or wired. In some implementations, UI devices 110 are laptops, desktop computers, smartphones, tablet computers, and/or other UI devices.

Data and content may be exchanged between the various components of the system 100 through a communication interface and communication paths using any one of a number of communications protocols. In one example, data may be exchanged employing a protocol used for communicating data across a packet-switched internetwork using, for example, the Internet Protocol Suite, also referred to as TCP/IP. The data and content may be delivered using datagrams (or packets) from the source host to the destination host solely based on their addresses. For this purpose the Internet Protocol (IP) defines addressing methods and structures for datagram encapsulation. Of course other protocols also may be used. Examples of an Internet protocol include Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6).

In some implementations, processor(s) 120 may form part (e.g., in a same or separate housing) of a user device, a consumer electronics device, a mobile phone, a smartphone, a personal data assistant, a digital tablet/pad computer, a wearable device (e.g., watch), augmented reality (AR) goggles, virtual reality (VR) goggles, a reflective display, a personal computer, a laptop computer, a notebook computer, a work station, a server, a high performance computer (HPC), a vehicle (e.g., embedded computer, such as in a dashboard or in front of a seated occupant of a car or plane), a game or entertainment system, a set-top-box, a monitor, a television (TV), a panel, a space craft, or any other device. In some implementations, processor 120 is configured to provide information processing capabilities in system 100. Processor 120 may comprise one or more of a digital processor, an analog processor, a digital circuit designed to process information, an analog circuit designed to process information, a state machine, and/or other mechanisms for electronically processing information. Although processor 120 is shown in FIG. 1 as a single entity, this is for illustrative purposes only. In some implementations, processor 120 may comprise a plurality of processing units. These processing units may be physically located within the same device (e.g., a server), or processor 120 may represent processing functionality of a plurality of devices operating in coordination (e.g., one or more servers, UI devices 110, devices that are part of external resources 140, electronic storage 150, and/or other devices).

As shown in FIG. 1, processor 120 is configured via machine-readable instructions to execute one or more computer program components. The computer program components may comprise one or more of Target TLD Component 124, Packet Capture Component 126, Packet Disassembly Component 128, Port Analysis Component 130, TLD Analysis Component 132, Alert Component 134, Disruption Component 136, and/or other components. Processor 120 may be configured to execute components 124, 126, 128, 130, 132, 134, and/or 136 by: software; hardware; firmware; some combination of software, hardware, and/or firmware; and/or other mechanisms for configuring processing capabilities on processor 120.

It should be appreciated that although components 124, 126, 128, 130, 132, 134, and 136 are illustrated in FIG. 1 as being co-located within a single processing unit, in implementations in which processor 120 comprises multiple processing units, one or more of components 124, 126, 128, 130, 132, 134, and/or 136 may be located remotely from the other components. For example, in some implementations, each of processor components 124, 126, 128, 130, 132, 134, and 136 may comprise a separate and distinct set of processors. The description of the functionality provided by the different components 124, 126, 128, 130, 132, 134, and/or 136 described below is for illustrative purposes, and is not intended to be limiting, as any of components 124, 126, 128, 130, 132, 134, and/or 136 may provide more or less functionality than is described. For example, one or more of components 124, 126, 128, 130, 132, 134, and/or 136 may be eliminated, and some or all of its functionality may be provided by other components 124, 126, 128, 130, 132, 134, and/or 136. As another example, processor 120 may be configured to execute one or more additional components that may perform some or all of the functionality attributed below to one of components 124, 126, 128, 130, 132, 134, and/or 136.

A target TLD Component 124 may determine one or more target TLDs. For example, External Resources 140, Electronic Storage 150, and/or TLD Database 200 illustrated in FIG. 2 may comprise one or more target TLDs. TLD Database 200 may be a list, external database, server, etc.

A TLD has the highest level in the hierarchical Domain Name System (DNS) of the Internet and may be a segment of a domain that immediately follows the last dot symbol in a domain name. For example, for ppair-my.uspto.gov, gov is the TLD, uspto is the second level, and ppair-my is the third level. Each TLD is managed by an independent organization under the guidance of the Internet Corporation for Assigned Names and Numbers (ICANN).

The TLD database 200 may comprise one or more TLDs selected from one or more of the four types of top-level domains (e.g., gTLD 202, ccTLD 204, sTLD 206, and/or Infrastructure TLD 208). For example, Generic Top-Level Domains (e.g., gTLD 202) may contain three or more characters (e.g., .com, .org, .net, .agency, etc.) and may be open for registration by anyone. Country-code Top-Level Domains (e.g., ccTLD 204) may be specific to particular countries or regions, and they typically identify the country or region’s official internet address. For example, .ru is the ccTLD for Russia. Sponsored Top-Level Domains (e.g., sTLD 206) may relate to specific purposes, such as education (.edu) or government organizations (.gov). Infrastructure Top-Level Domains (e.g., Infrastructure TLD 208) have only one domain (e.g., .arpa, which stands for Address and Routing Parameter Area) and may be used for Internet-infrastructure purposes.

A packet capture (PCAP) component 126 may intercept data packets travelling over a network (e.g., packet sniffing of a wireless network). Once the packets are captured, they may be stored for further analysis. Collecting and analyzing packet data may provide in-depth packet information such as source and destination IP addresses, time of capture, protocol information, etc. According to some implementations, PCAP files may be created using a program such as Wireshark. These PCAP files may contain packet data of a network and may be used to analyze the network traffic. Moreover, the PCAP component 126 may capture one or more of the following information: time stamps of packet arrival, packet length, port number, TCP sequence numbers, etc. Moreover, the PCAP component 126 may load and import past sessions of a saved capture file, extract and export packet data into a single packet capture file, and/or provide a real-time view of packets received.

Packet disassembly component 128 may utilize one or more network protocol analyzers, e.g., Wireshark. Packet disassembly component 128 may be used to determine what is happening in captured packet data in as much detail as possible. According to some implementations, captured packets may be displayed with detailed protocol information, captured packet data may be saved, packets may be exported to one or more capture file formats, and/or captured packets may be filtered or searched based on criteria.

According to some implementations, packet disassembly component 128 may capture the Layer 4 header, e.g., the Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) header. The Layer 4 (Transport) layer may send and receive data to and from the applications running on its host. Moreover, the Transport layer may assign port numbers to the processes running in applications on the host and may add a TCP or UDP header to the messages received from the applications detailing source and destination port numbers.

Port analysis component 130 may perform port filtering based on the Layer 4 header. For example, port analysis component 130 may implement port targeting. For example, if the destination port (e.g., port 53) is associated with encrypted traffic and the expression comprises a name field, the packet may be further disassembled by packet disassembly component 128. In another example, if the destination port (e.g., port 443) is associated with domain name system (DNS) queries and the expression comprises a server name indication, the packet may be further disassembled by packet disassembly component 128. If the destination port is not an open port and/or does not match one or more port targeting or port filtering criteria, the process may be terminated.

In some implementations, packets with destination port 443 may be further disassembled by the packet disassembly component 128 for identification, e.g., the payload may be analyzed to determine if it is Transport Layer Security (TLS). For example, the payload may be analyzed to determine if a content type is 22 (e.g., handshake), a handshake type is 1 (e.g., client hello), and the packet contains a Server Name extension, in which case the packet may be further analyzed, e.g., by TLD Analysis component 132. If not, the analysis process may be terminated for the packet.
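The following is an added example, not code from the disclosure, showing the three checks described above for a port-443 payload: TLS content type 22 (handshake), handshake type 1 (client hello), and the presence of a Server Name extension (extension type 0). The function names build_client_hello and extract_sni are assumed for illustration; build_client_hello constructs a minimal TLS 1.2 ClientHello as sample input so the parser can run offline. Any payload failing one of the checks yields None, which corresponds to the branch in which analysis of the packet is terminated.

```python
import struct

# Field values from the TLS record and handshake layouts (RFC 5246, RFC 6066).
TLS_CONTENT_HANDSHAKE = 22
TLS_HANDSHAKE_CLIENT_HELLO = 1
TLS_EXT_SERVER_NAME = 0


def build_client_hello(server_name):
    """Construct a minimal TLS 1.2 ClientHello record (sample input, not a capture).
    When server_name is None the extensions block is omitted entirely."""
    body = (
        b"\x03\x03"                 # client_version: TLS 1.2
        + bytes(32)                 # random (zeroed for the sample)
        + b"\x00"                   # session_id length 0
        + b"\x00\x02\x13\x01"       # cipher_suites: one suite
        + b"\x01\x00"               # compression_methods: null only
    )
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host    # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", TLS_EXT_SERVER_NAME, len(sni_list)) + sni_list
        body += struct.pack("!H", len(ext)) + ext
    handshake = bytes([TLS_HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_CONTENT_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(payload):
    """Return the SNI host name if payload is a ClientHello carrying a Server Name
    extension; otherwise None (content type, handshake type or extension check failed)."""
    if len(payload) < 5 or payload[0] != TLS_CONTENT_HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", payload[3:5])[0]
    hs = payload[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != TLS_HANDSHAKE_CLIENT_HELLO:
        return None
    pos = 4 + 2 + 32                          # handshake header, version, random
    if pos >= len(hs):
        return None
    pos += 1 + hs[pos]                        # session_id
    if pos + 2 > len(hs):
        return None
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
    if pos >= len(hs):
        return None
    pos += 1 + hs[pos]                        # compression_methods
    if pos + 2 > len(hs):
        return None                           # no extensions block present
    ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_len, len(hs))
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        edata = hs[pos:pos + elen]
        pos += elen
        # ServerNameList: 2-byte list length, then entries of name_type(1) length(2) name.
        if etype == TLS_EXT_SERVER_NAME and len(edata) >= 5 and edata[2] == 0:
            name_len = struct.unpack("!H", edata[3:5])[0]
            if len(edata) >= 5 + name_len:
                return edata[5:5 + name_len].decode("ascii", "replace")
    return None


if __name__ == "__main__":
    print(extract_sni(build_client_hello("mail.example.ru")))   # mail.example.ru
    print(extract_sni(b"\x17\x03\x03\x00\x01\x00"))              # None: application data record
```

Every length field is bounds-checked before it is used, so a truncated or malformed handshake falls through to None rather than raising; in a sniffer that processes untrusted packets this is the behaviour a practitioner wants.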

TLD Analysis component 132 may analyze the packet payload (e.g., for DNS packets) to determine a number of questions associated with the payload. The query for each question may then be processed with one or more regular expressions. For example, the query for each question may be compared with each regular expression from the TLD target deck (e.g., TLD Database 200). If the query matches one of the regular expressions from the TLD target deck, a threshold counter may be increased. Moreover, a log entry may be created. The log entry may contain one or more of the Media Access Control (MAC) address, Internet Protocol (IP) address, fully qualified domain name (FQDN), and/or timestamp.
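As an added example (not code from the disclosure) of the DNS branch described above, the parser below reads QDCOUNT from the DNS header, walks the question section label by label, and compares each QNAME against a target deck of compiled regular expressions. The names build_dns_query, parse_dns_questions, matching_questions and TARGET_DECK are assumed for illustration; build_dns_query constructs a sample query so the parser runs offline, and the .ru entry in the deck follows the example given elsewhere in this description.

```python
import re
import struct


def build_dns_query(names, txn_id=0x1234):
    """Construct a DNS query (QR=0, RD=1) with one A/IN question per name.
    Constructed sample input, not captured traffic."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, len(names), 0, 0, 0)
    body = b""
    for name in names:
        for label in name.rstrip(".").split("."):
            body += bytes([len(label)]) + label.encode("ascii")
        body += b"\x00" + struct.pack("!HH", 1, 1)     # root label, QTYPE A, QCLASS IN
    return header + body


def parse_dns_questions(payload):
    """Return the QNAMEs in the question section of a DNS query, or [] when the
    payload is not a query (too short, or QR=1 marks it as a response)."""
    if len(payload) < 12:
        return []
    flags, qdcount = struct.unpack("!HH", payload[2:6])
    if flags & 0x8000:
        return []
    names, pos = [], 12
    for _ in range(qdcount):
        labels = []
        while True:
            if pos >= len(payload):
                return names                   # truncated question: keep what was decoded
            length = payload[pos]
            pos += 1
            if length == 0:
                break
            if length & 0xC0:
                return names                   # compression pointer, not expected in a query
            labels.append(payload[pos:pos + length].decode("ascii", "replace"))
            pos += length
        names.append(".".join(labels))
        pos += 4                               # skip QTYPE and QCLASS
    return names


# Target deck: one compiled expression per TLD of concern (illustrative entry).
TARGET_DECK = [re.compile(r"\.ru\.?$", re.IGNORECASE)]


def matching_questions(payload, deck=TARGET_DECK):
    """QNAMEs whose TLD matches an expression in the target deck."""
    return [q for q in parse_dns_questions(payload) if any(r.search(q) for r in deck)]


if __name__ == "__main__":
    sample = build_dns_query(["cdn.example.com", "mail.example.ru"])
    print(parse_dns_questions(sample))      # ['cdn.example.com', 'mail.example.ru']
    print(matching_questions(sample))       # ['mail.example.ru']
```

Anchoring the expression at the end of the name (the $ in the deck entry) is what makes this a TLD match rather than a substring match; without it a host such as ru.example.com would count against the deck.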

In an example, for transport layer security (TLS) client hello packets, the Server Name field within the Server Name Indication extension may be processed with regular expressions for every entry within the target deck. If the regular expression matches, the threshold counter may be increased and/or a log entry (e.g., containing the MAC, IP address, FQDN, and/or timestamp) may be created. For example, the regular expression may comprise one or more specific MAC addresses and a threshold condition may relate to the payload including one or more of the specific MAC addresses.

Every time the threshold count is updated, the Alert Component 134 may compare the count to a threshold trigger value. When the threshold count exceeds the threshold trigger value, the Alert component 134 may generate an alert. For example, the Alert Component 134 may alert an operator to a presence of a foreign national. The information contained within the alert may include the MAC address, IP Address, and/or TLD. One or more options may be included, including initiating workflows to other capabilities. For example, an option may be presented for the disruption component 136 to initiate a deauthentication attack to disrupt communications.

FIG. 3 illustrates a multi-stage approach 300 for TLD analysis, in accordance with one or more implementations. The process may start at block 302 by intercepting internet traffic. For example, wireless network traffic may be intercepted (e.g., “sniffed”) from a public wireless network.

At block 304, one or more PCAP files may be created (e.g., by PCAP component 126). The PCAP files may contain packet data of the intercepted network traffic. The PCAP files may be stored locally or remotely and may include information including time stamps of packet arrival, packet length, port number, TCP sequence numbers, etc. An application program interface (API) may be used to generate and/or access the PCAP files.

At block 306, the packet may be disassembled, e.g., by packet disassembly component 128. Disassembly of the packet may include capturing and/or displaying detailed information associated with the packet. For example, a Layer 4 header (e.g., the TCP or UDP header) may be extracted from the packet. Information included in the Layer 4 header may include port numbers assigned to processes running in applications on a host. Moreover, Layer 4 information may include source and destination port numbers.

At block 308, the specific ports may be filtered or targeted (e.g., by port analysis component 130). For example, if a destination port associated with the disassembled packet is port 443, a regular expression associated with the Server Name Indication (SNI) may be determined at block 310. The regular expression (e.g., Regex SNI) may include a TLD and may be an extension to the Transport Layer Security (TLS) computer networking protocol. As another example, if a destination port associated with the disassembled packet is port 53, a regular expression associated with the name field may be determined at block 314. The regular expression (e.g., Regex Name Field) may include a TLD and may be included in the Domain Name System (DNS) computer networking protocol. If the destination port associated with the packet does not include an open port (e.g., port 443 or port 53), the packet may be disregarded at block 316 and the analysis may end at block 318. If the destination port does include an open port (e.g., port 443 or port 53), a payload of the network packet may be analyzed.

At block 312, the regular expression (e.g., from block 310 or block 314) may be compared (e.g., by TLD Analysis component 132) to one or more TLDs from the target deck. If the regular expression does not match one of the regular expressions from the TLD target deck, the packet may be disregarded at block 316 and the analysis may end at block 318. If the regular expression does match one of the regular expressions from the TLD target deck, the result may be logged and a threshold counter may be increased at block 320.

At block 322, the threshold counter may be compared to a threshold value. If the threshold counter exceeds the threshold value, an operator may be alerted (e.g., by Alert Component 134) at block 324. The analysis may end at block 318.

According to an implementation, the Open Systems Interconnection (OSI) model 400, used by the public Internet, uses a seven-layer framework as seen in FIG. 4 to describe the functions of a networking system. According to aspects of an implementation, the OSI model 400 may characterize computing functions into a universal set of rules and requirements in order to support interoperability between different products and software. As illustrated in FIG. 4, the communications between computing systems are split into seven different abstraction layers: Physical, Data Link, Network, Transport, Session, Presentation, and Application.

At the Physical Layer (Layer 1), raw unstructured data bits may be transmitted (electrically or optically) across the network from the physical layer of the sending device to the physical layer of the receiving device. The physical layer may include physical resources such as network hubs, cabling, repeaters, network adapters or modems.

At the Data Link Layer (Layer 2), directly connected nodes may be used to perform node-to-node data transfer where data is packaged into frames. The data link layer may also correct errors that may have occurred at the physical layer.

The data link layer may encompass two sub-layers of its own. The first sub-layer, media access control (MAC), may provide flow control and multiplexing for device transmissions over a network. The second sub-layer, the logical link control (LLC), may provide flow and error control over the physical medium as well as identify line protocols.

The Network Layer (Layer 3) may be responsible for receiving frames from the data link layer and delivering them to their intended destinations based on the addresses contained inside the frame. The network layer may find the destination by using logical addresses, such as IP (internet protocol). At the network layer, routers may route information between networks. When transmitting data, the network layer may add a header containing the source and destination IP addresses (e.g., including a TLD) to the data received from the transport layer. The packet created by the network layer may then be forwarded to the MAC or data link layer.

The Transport Layer (Layer 4) may manage delivery and error checking of data packets. For example, the transport layer may regulate size, sequencing, and ultimately the transfer of data between systems and hosts.

The Session Layer (Layer 5) may control conversations between different computers. For example, a session or connection between machines may be set up, managed, and terminated at layer 5. Session layer services may also include authentication and reconnections.

The Presentation Layer (Layer 6) may format or translate data for the application layer based on the syntax or semantics that an application accepts. The presentation layer may also handle encryption and decryption required by the application layer.

At the Application Layer (Layer 7), both an end user and the application layer may interact directly with a software application. For example, this layer may see network services provided to end-user applications. Moreover, the application layer may identify communication partners, determine resource availability, and/or synchronize communication.

FIG. 5 illustrates method 500 for TLD analysis and/or transmitting an alert, in accordance with one or more implementations. Method 500 may be performed with a computer system comprising one or more computer processors and/or other components. The processors are configured by machine readable instructions to execute computer program components. The operations of method 500 presented below are intended to be illustrative. In some implementations, method 500 may be accomplished with one or more additional operations not described, and/or without one or more of the operations discussed. Additionally, the order in which the operations of method 500 are illustrated in FIG. 5 and described below is not intended to be limiting. In some embodiments, method 500 may be implemented in one or more processing devices (e.g., a digital processor, an analog processor, a digital circuit designed to process information, an analog circuit designed to process information, a state machine, and/or other mechanisms for electronically processing information). The processing devices may include one or more devices executing some or all of the operations of method 500 in response to instructions stored electronically on an electronic storage medium. The processing devices may include one or more devices configured through hardware, firmware, and/or software to be specifically designed for execution of one or more of the operations of method 500.

At operation 510 of method 500, a target TLD may be received. The target TLD may originate from a particular geographic area of interest (e.g., Russia, China, Iran, etc.) and may be received by a server from a database. Moreover, the target TLD may be one of a plurality of target TLDs included in a list of target TLDs.

At operation 520 of method 500, a network packet of internet traffic may be captured. The network packet may be sniffed or intercepted from a wireless network. The captured packet may be stored. A PCAP may capture information associated with the packet, including packet length, port number, TCP sequence numbers, etc.

At operation 530 of method 500, it may be determined that a destination port of the captured network packet is an open port. For example, the destination port may be associated with DNS queries and the expression may comprise a server name indication. As another example, the destination port may be associated with encrypted traffic and the expression may comprise a name field. Moreover, the destination port

At operation 540 of method 500, a counter may be incremented based on the determined open port and determining a payload of the network packet comprises an expression matching the target TLD. For example, the payload may be analyzed to determine a number of questions associated with the payload. The query for each question may then be processed to determine one or more regular expressions. For example, the query for each question may be compared with each regular expression from the TLD target deck (e.g., TLD Database 200). If the regular expression matches one of the regular expressions from the TLD target deck, the counter may be increased. Moreover, a log entry may be created. The log entry may contain one or more of the Media Access Control (MAC) address, Internet Protocol (IP) address, fully qualified domain name (FQDN), and/or timestamp.

At operation 550 of method 500, an alert associated with the target TLD may be transmitted based on determining the counter exceeds a threshold. For example, an operator may be alerted to a presence of a foreign national. The information contained within the alert may include the MAC address, IP Address, and/or TLD. One or more options may be included, including initiating workflows to other capabilities. For example, an option may be presented to initiate a deauthentication attack to disrupt communications.
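The port filter, TLD match, log entry, counter and threshold alert of blocks 308 through 324 (operations 530 through 550), written out as an added example that is not the patent's own code. It follows the mapping of block 308 (port 443 to the TLS SNI, port 53 to the DNS name field); the target deck, the regex form, the two packet builders and the log format are assumptions constructed for this example, with RFC 2606 reserved TLDs standing in for the contents of TLD Database 200.

```python
import re
import struct

# Constructed target deck: RFC 2606 reserved TLDs stand in for the page's TLD Database 200.
TARGET_DECK = [re.compile(r"\.(test|example)$", re.IGNORECASE)]

def dns_query_names(payload):
    """Return the QNAME of each question in a DNS query (port 53); stop on truncation."""
    if len(payload) < 12:
        return []
    names, pos = [], 12
    for _ in range(struct.unpack("!H", payload[4:6])[0]):  # QDCOUNT
        labels = []
        while True:
            if pos >= len(payload):
                return names
            length, pos = payload[pos], pos + 1
            if length == 0:
                break
            if length & 0xC0 or pos + length > len(payload):
                return names  # compression pointer or truncated label: stop cleanly
            labels.append(payload[pos:pos + length].decode("ascii", "replace"))
            pos += length
        names.append(".".join(labels))
        pos += 4  # skip QTYPE and QCLASS
    return names

def tls_client_hello_sni(payload):
    """Return the server_name of a TLS ClientHello (port 443), or None if absent/malformed."""
    if len(payload) < 43 or payload[0] != 0x16 or payload[5] != 0x01:
        return None
    pos = 43  # after record header(5), handshake header(4), version(2), random(32)
    try:
        pos += 1 + payload[pos]  # session_id
        pos += 2 + struct.unpack("!H", payload[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + payload[pos]  # compression_methods
        ext_end = pos + 2 + struct.unpack("!H", payload[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", payload[pos:pos + 4])
            pos += 4
            if ext_type == 0:  # server_name: list_len(2) name_type(1) name_len(2) name
                name_len = struct.unpack("!H", payload[pos + 3:pos + 5])[0]
                return payload[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
            pos += ext_len
    except (struct.error, IndexError):
        pass
    return None

class TldDetector:
    """Blocks 308-324: port filter, TLD regex match, log entry, counter, threshold alert."""
    def __init__(self, deck=TARGET_DECK, threshold=3):
        self.deck, self.threshold, self.counter, self.log = deck, threshold, 0, []
    def inspect(self, src_mac, src_ip, dst_port, payload, ts):
        """Process one packet; return True once the counter exceeds the threshold (alert)."""
        if dst_port == 53:  # DNS: name field of each question
            names = dns_query_names(payload)
        elif dst_port == 443:  # TLS: server name indication
            names = [n for n in [tls_client_hello_sni(payload)] if n]
        else:
            return False  # block 316: not a targeted ("open") port, disregard
        for fqdn in names:
            if any(rx.search(fqdn) for rx in self.deck):
                self.counter += 1
                self.log.append({"mac": src_mac, "ip": src_ip, "fqdn": fqdn, "ts": ts})
        return self.counter > self.threshold

def build_dns_query(name):
    """Constructed DNS query with one A question, for feeding the detector offline."""
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def build_client_hello(sni):
    """Constructed minimal TLS 1.2 ClientHello carrying only a server_name extension."""
    host = sni.encode()
    ext = struct.pack("!HHHBH", 0, len(host) + 5, len(host) + 3, 0, len(host)) + host
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"  # ver, rnd, sid, suites, comp
            + struct.pack("!H", len(ext)) + ext)
    return b"\x16\x03\x01" + struct.pack("!H", len(body) + 4) + b"\x01" + len(body).to_bytes(3, "big") + body
```

Feeding the output of a real capture into `inspect` only requires the Layer 4 destination port and payload that block 306 already extracts, plus the MAC/IP of the frame for the log entry.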

FIG. 6A is a system diagram of an example device 30, such as a Terminal device 18 or a Gateway device 14 for example. As shown in FIG. 6A, the Device 30 may include a processor 32, a transceiver 34, a transmit/receive element 36, a speaker/microphone 38, a keypad 40, a display/touchpad/indicator(s) 42, non-removable memory 44, removable memory 46, a power source 48, a global positioning system (GPS) chipset 50, and other peripherals 52. It will be appreciated that the Device 30 may include any sub-combination of the foregoing elements while remaining consistent with an implementation. The Device 30 may also be employed with other devices, as described in this application and as illustrated in the figures.

The processor 32 may be a general purpose processor, a special purpose processor, a digital signal processor (DSP), a plurality of microprocessors, one or more microprocessors in association with a DSP core, a controller, a microcontroller, Application Specific Integrated Circuits (ASICs), Field Programmable Gate Array (FPGAs) circuits, any other type of integrated circuit (IC), a state machine, and the like. The processor 32 may perform signal coding, data processing, power control, input/output processing, and/or any other functionality that enables the Device 30 to operate in a wireless environment. The processor 32 may be coupled to the transceiver 34, which may be coupled to the transmit/receive element 36. While FIG. 6A depicts the processor 32 and the transceiver 34 as separate components, it will be appreciated that the processor 32 and the transceiver 34 may be integrated together in an electronic package or chip. The processor 32 may perform application-layer programs, e.g., browsers, and/or radio access-layer (RAN) programs and/or communications. The processor 32 may perform security operations such as authentication, security key agreement, and/or cryptographic operations, such as at the access-layer and/or application layer for example.

The transmit/receive element 36 may be configured to transmit signals to, or receive signals from, other devices. For example, in an implementation, the transmit/receive element 36 may be an antenna configured to transmit and/or receive RF signals. The transmit/receive element 36 may support various networks and air interfaces, such as WLAN, WPAN, cellular, and the like. In an implementation, the transmit/receive element 36 may be an emitter/detector configured to transmit and/or receive IR, UV, or visible light signals, for example. In yet another implementation, the transmit/receive element 36 may be configured to transmit and receive both RF and light signals. It will be appreciated that the transmit/receive element 36 may be configured to transmit and/or receive any combination of wireless or wired signals.

In addition, although the transmit/receive element 36 is depicted in FIG. 6A as a single element, the Device 30 may include any number of transmit/receive elements 36. More specifically, the Device 30 may employ MIMO technology. Thus, in an implementation, the Device 30 may include two or more transmit/receive elements 36, e.g., multiple antennas, for transmitting and receiving wireless signals.

The transceiver 34 may be configured to modulate the signals that are to be transmitted by the transmit/receive element 36 and to demodulate the signals that are received by the transmit/receive element 36. As noted above, the Device 30 may have multi-mode capabilities. Thus, the transceiver 34 may include multiple transceivers for enabling the Device 30 to communicate via multiple RATs, such as UTRA and IEEE 802.11, for example.

The processor 32 may access information from, and store data in, any type of suitable memory, such as the non-removable memory 44 and/or the removable memory 46. The non-removable memory 44 may include random-access memory (RAM), read-only memory (ROM), a hard disk, or any other type of memory storage device. The removable memory 46 may include a subscriber identity module (SIM) card, a memory stick, a secure digital (SD) memory card, and the like. In other implementations, the processor 32 may access information from, and store data in, memory that is not physically located on the Device 30, such as on a server or a home computer.

The processor 32 may receive power from the power source 48, and may be configured to distribute and/or control the power to the other components in the Device 30. The power source 48 may be any suitable device for powering the Device 30. For example, the power source 48 may include one or more dry cell batteries (e.g., nickel-cadmium (NiCd), nickel-zinc (NiZn), nickel metal hydride (NiMH), lithium-ion (Li-ion), etc.), solar cells, fuel cells, and the like.

The processor 32 may also be coupled to the GPS chipset 50, which is configured to provide location information, e.g., longitude and latitude, regarding the current location of the Device 30. It will be appreciated that the Device 30 may acquire location information by way of any suitable location-determination method while remaining consistent with an implementation.

The processor 32 may further be coupled to other peripherals 52, which may include one or more software and/or hardware modules that provide additional features, functionality and/or wired or wireless connectivity. For example, the peripherals 52 may include an accelerometer, an e-compass, a satellite transceiver, a sensor, a digital camera (for photographs or video), a universal serial bus (USB) port, a vibration device, a television transceiver, a hands free headset, a Bluetooth® module, a frequency modulated (FM) radio unit, a digital music player, a media player, a video game player module, an Internet browser, and the like.

FIG. 6B is a block diagram of an exemplary computing system 90 on which, for example, the system 100 of FIG. 1 may be implemented. Computing system 90 may comprise a computer or server and may be controlled primarily by computer readable instructions, which may be in the form of software, wherever or by whatever means such software is stored or accessed. Such computer readable instructions may be executed within central processing unit (CPU) 91 to cause computing system 90 to do work. In many known workstations, servers, and personal computers, central processing unit 91 is implemented by a single-chip CPU called a microprocessor. In other machines, the central processing unit 91 may comprise multiple processors. Coprocessor 81 is an optional processor, distinct from main CPU 91, that performs additional functions or assists CPU 91. CPU 91 and/or coprocessor 81 may receive, generate, and process data related to the disclosed systems and methods for embedded semantic naming, such as queries for sensory data with embedded semantic names.

In operation, CPU 91 fetches, decodes, and executes instructions, and transfers information to and from other resources via the computer’s main data-transfer path, system bus 80. Such a system bus connects the components in computing system 90 and defines the medium for data exchange. System bus 80 typically includes data lines for sending data, address lines for sending addresses, and control lines for sending interrupts and for operating the system bus. An example of such a system bus 80 is the PCI (Peripheral Component Interconnect) bus.

Memory devices coupled to system bus 80 include random access memory (RAM) 82 and read only memory (ROM) 93. Such memories include circuitry that allows information to be stored and retrieved. ROMs 93 generally contain stored data that cannot easily be modified. Data stored in RAM 82 can be read or changed by CPU 91 or other hardware devices. Access to RAM 82 and/or ROM 93 may be controlled by memory controller 92. Memory controller 92 may provide an address translation function that translates virtual addresses into physical addresses as instructions are executed. Memory controller 92 may also provide a memory protection function that isolates processes within the system and isolates system processes from user processes. Thus, a program running in a first mode can access only memory mapped by its own process virtual address space; it cannot access memory within another process’s virtual address space unless memory sharing between the processes has been set up.

In addition, computing system 90 may contain peripherals controller 83 responsible for communicating instructions from CPU 91 to peripherals, such as printer 94, keyboard 84, mouse 95, and disk drive 85.

Display 86, which is controlled by display controller 96, is used to display visual output generated by computing system 90. Such visual output may include text, graphics, animated graphics, and video. This may include, for example, results of TLD analysis. Display 86 may be implemented with a CRT-based video display, an LCD-based flat-panel display, a gas plasma-based flat-panel display, or a touch-panel. Display controller 96 includes the electronic components required to generate a video signal that is sent to display 86. Display 86 may display sensory data in files or folders using embedded semantic names. Further, computing system 90 may contain network adaptor 97 that may be used to connect computing system 90 to an external communications network, such as network 12 of FIG. 6A and FIG. 6B.

Techniques described herein may be implemented in digital electronic circuitry, or in computer hardware, firmware, software, or in combinations of them. The techniques may be implemented as a computer program product, i.e., a computer program tangibly embodied in an information carrier, e.g., in a machine-readable storage device, in machine-readable storage medium, in a computer-readable storage device or, in computer-readable storage medium for execution by, or to control the operation of, data processing apparatus, e.g., a programmable processor, a computer, or multiple computers. A computer program may be written in any form of programming language, including compiled or interpreted languages, and it may be deployed in any form, including as a stand-alone program or as a module, component, subroutine, or other unit suitable for use in a computing environment. A computer program may be deployed to be executed on one computer or on multiple computers at one site or distributed across multiple sites and interconnected by a communication network.

Method steps of the techniques may be performed by one or more programmable processors executing a computer program to perform functions of the techniques by operating on input data and generating output. Method steps may also be performed by, and apparatus of the techniques may be implemented as, special purpose logic circuitry, e.g., an FPGA (field programmable gate array) or an ASIC (application-specific integrated circuit).

Processors suitable for the execution of a computer program include, by way of example, both general and special purpose microprocessors, and any one or more processors of any kind of digital computer. Generally, a processor will receive instructions and data from a read-only memory or a random access memory or both. The essential elements of a computer are a processor for executing instructions and one or more memory devices for storing instructions and data. Generally, a computer will also include, or be operatively coupled to receive data from or transfer data to, or both, one or more mass storage devices for storing data, such as, magnetic, magneto-optical disks, or optical disks. Information carriers suitable for embodying computer program instructions and data include all forms of non-volatile memory, including by way of example semiconductor memory devices, such as, erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), and flash memory devices; magnetic disks, such as, internal hard disks or removable disks; magneto-optical disks; and CD-ROM and DVD-ROM disks. The processor and the memory may be supplemented by, or incorporated in special purpose logic circuitry.

Several implementations of the disclosure are specifically illustrated and/or described herein. However, it will be appreciated that modifications and variations are contemplated and within the purview of the appended claims. 

What is claimed is:
 1. A computer program product comprising: a computer-readable storage medium; and instructions stored on the computer-readable storage medium that, when executed by a processor, cause the processor to: receive a target top-level domain (TLD); capture a network packet of internet traffic; determine a destination port of the captured network packet is an open port; increment, based on the determined open port and determining a payload of the network packet comprises an expression matching the target TLD, a counter; and transmit, based on determining the counter exceeds a threshold, an alert associated with the target TLD.
 2. The computer program product of claim 1, wherein the destination port is determined based on a Transmission Control Protocol/Internet Protocol (TCP/IP) Transport Layer (Layer 4) of the network packet.
 3. The computer program product of claim 1, wherein the instructions further cause the processor to generate a log entry associated with the network packet.
 4. The computer program product of claim 1, wherein the instructions further cause the processor to disrupt, based on determining the counter exceeds a threshold, the internet traffic.
 5. The computer program product of claim 1, wherein the destination port is associated with encrypted traffic and the expression comprises a name field.
 6. The computer program product of claim 1, wherein the destination port is associated with domain name system (DNS) queries and the expression comprises a server name indication.
 7. The computer program product of claim 1, wherein the target TLD is received from a database.
 8. The computer program product of claim 1, wherein the TLD originates from a geographic area of interest.
 9. A system comprising: one or more processors; and memory including instructions that, when executed by the one or more processors, cause the system to: receive a target top-level domain (TLD); capture a network packet of internet traffic; determine a destination port of the captured network packet is an open port; determine, based on the determined open port, a payload of the network packet comprises an expression matching the target TLD; and transmit, based on the expression matching the target TLD, an alert associated with the target TLD.
 10. The system of claim 9, wherein the destination port is determined based on a Transmission Control Protocol/Internet Protocol (TCP/IP) Transport Layer (Layer 4) of the network packet.
 11. The system of claim 9, wherein the instructions further cause the system to generate a log entry associated with the network packet.
 12. The system of claim 9, wherein the instructions further cause the system to disrupt, based on the expression matching the target TLD, the internet traffic.
 13. The system of claim 9, wherein the destination port is associated with encrypted traffic and the expression comprises a name field.
 14. The system of claim 9, wherein the destination port is associated with domain name system (DNS) queries and the expression comprises a server name indication.
 15. The system of claim 9, wherein the target TLD is received from a database.
 16. The system of claim 9, wherein the TLD originates from a geographic area of interest.
 17. A method comprising: receiving a target top-level domain (TLD); capturing a network packet of internet traffic; determining, based on determining a destination port of the captured network packet is an open port, a payload of the network packet comprises an expression matching the target TLD; and incrementing, based on the expression matching the target TLD, a counter; determining the counter exceeds a threshold; transmitting, based on the counter exceeding the threshold, an alert associated with the target TLD.
 18. The method of claim 17, wherein the destination port is determined based on a Transmission Control Protocol/Internet Protocol (TCP/IP) Transport Layer (Layer 4) of the network packet.
 19. The method of claim 17, wherein the destination port is associated with encrypted traffic and the expression comprises a name field.
 20. The method of claim 17, wherein the destination port is associated with domain name system (DNS) queries and the expression comprises a server name indication. 